Tuesday 30 September 2008

Secret Question, Public Answer

First, let’s get a pedantic observation out of the way: Secret Question is a misnomer. If you think about it, it’s the answer that is secret, not the question.

The problem with secret questions is that they are often a backdoor to your account. When you use a strong password, the answer to your secret question will be easier to guess than your password, so you are actually using weak credentials.
If the sole purpose of the secret question is to reset your password (or e-mail it to you), then don’t use it: just type some random characters for an answer and forget about it. You won’t be able to get into your account using the secret question backdoor, but neither will attackers.
If you’re afraid that you might forget your password, write it down and keep it safe (I recommend KeePass if you need a password manager).

Now if you definitely want a backdoor because you don’t want to write anything down and don’t trust your memory, there are a couple of options open to you.
If you’re not able to make up your own secret question but have to choose one from a predefined list, then provide an answer that you can derive from the question alone (think about it: your secret answer doesn’t have to make sense, it just has to be secret). An example:
Q: Name of first pet?
A: Four
Why four? Because the question is a sentence of 4 words. This way you don’t have to remember your secret answer, just the rule to derive the answer from the question. You can reuse the same rule for different accounts; it will generate different secret answers for different secret questions.

If you can provide your own secret question, then I recommend using math. An example:
Q: How much is 3 + 7?
A: 20
Why 20? Because your secret rule is to double the result to obtain the correct answer. 3 + 7 equals 10, and 10 times 2 equals 20.

Secret answer rules can be as hard as you want, but complex rules are more likely to be forgotten…
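The two derivation rules above (word count of a predefined question, and doubling the result of your own arithmetic question) and the first recommendation (a random answer you never intend to recall) are shown together below as an added example; this is not code from the original post. The word-count rule returns digits ("4") rather than the spelled-out "Four" used in the post, the arithmetic rule is assumed to handle a single binary operation with `+`, `-` or `*`, and the two `*_bits` helpers are added to put a number on how small the guess space of a numeric answer is compared with a random string.

```python
import math
import re
import secrets
import string

# Rule 1 from the post: the answer is the number of words in the question.
def word_count_answer(question: str) -> str:
    return str(len(question.split()))

# Rule 2 from the post: find the arithmetic expression in your own question,
# evaluate it, and double the result. Assumption: one binary operation only.
_EXPR = re.compile(r"(\d+)\s*([+\-*])\s*(\d+)")

def doubled_math_answer(question: str) -> str:
    m = _EXPR.search(question)
    if m is None:
        raise ValueError("no arithmetic expression found in question")
    a, op, b = int(m.group(1)), m.group(2), int(m.group(3))
    result = {"+": a + b, "-": a - b, "*": a * b}[op]
    return str(result * 2)

# First recommendation from the post: random characters, stored nowhere,
# so the secret-question backdoor is effectively closed.
ALPHABET = string.ascii_letters + string.digits

def random_answer(length: int = 20) -> str:
    return "".join(secrets.choice(ALPHABET) for _ in range(length))

# Bits of work needed to exhaust every integer answer in 0..max_value.
def numeric_guess_space_bits(max_value: int) -> float:
    return math.log2(max_value + 1)

# Bits of work for a uniformly random answer of the given length over ALPHABET.
def random_answer_bits(length: int = 20) -> float:
    return length * math.log2(len(ALPHABET))

if __name__ == "__main__":
    print(word_count_answer("Name of first pet?"))      # 4
    print(doubled_math_answer("How much is 3 + 7?"))    # 20
    print(random_answer())                              # e.g. "kQ9...": 20 random characters
    print(f"0..1000 exhausted in ~{numeric_guess_space_bits(1000):.1f} bits")
    print(f"random 20-char answer ~{random_answer_bits():.1f} bits")
```

The two `*_bits` figures make the trade-off explicit: a derived numeric answer lives in a space of roughly ten bits, which is why the post's first advice is to type random characters and treat the question as disabled.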

>BTW it is possible to use a password database created with Windows’ KeePass on Linux too, with KeePassX (www.keepassx.org)
Thanks, that’s one of the reasons why I recommend KeePass, there are even versions for PPC/Smart phone, Windows PE, … http://keepass.info/download.html

>It’s easier to bruteforce, trying 0-1000 takes only minutes, numbers 0-100 are in every bruteforce dictionary anyway.
Correct, that’s why my first recommendation is to disable secret questions by typing a string of random characters. Secret questions are not safe, avoid them.

As for keeping my password safe – I prefer to use the hashing method. Check out the Firefox addons Passmaker and Passhash. The concept of a database-less password system has a few advantages which I like. Unfortunately no one seems to have done a proper (3rd party) analysis of any such system, although I can imagine a few attacks.